The allocation for abort_msg_s does not account for the integer in the struct to store the message length, because of which at some lengths of messages (at multiples of page size) this may result in a buffer overflow. Fix coming up. Thanks to Qualys for reporting this.
The master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578

commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Jan 21 16:11:06 2025 -0500

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)

    Include the space needed to store the length of the message itself, in
    addition to the message string.

    This resolves BZ #32582.

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
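An added example, not glibc's own code, that models the size computation the bug report and the commit message above describe: the old formula rounds only the message (plus its NUL) up to a page, the fixed one counts the struct header first. It assumes a 4096-byte page and a header of one unsigned int, and enumerates which message lengths leave the old allocation short under that layout.

```c
/* Added example (not glibc's own code): models the abort_msg_s size
   computation this bug describes, before and after the fix. Assumed: a
   4096-byte page and a header of one unsigned int length field. */
#include <stdbool.h>
#include <stdio.h>

#define PAGE_SIZE 4096UL  /* assumed; glibc uses the runtime page size */

struct abort_msg_s {
    unsigned int size;   /* the length field the old computation left out */
    char msg[];          /* message string follows the header */
};

static size_t round_up_to_page(size_t n) {
    return (n + PAGE_SIZE - 1) & ~(PAGE_SIZE - 1);
}

/* Bytes actually written into the mapping: header, message, NUL. */
size_t bytes_needed(size_t len) {
    return sizeof(struct abort_msg_s) + len + 1;
}

/* Pre-fix: only the string and its NUL are rounded up to a page. */
size_t alloc_size_before_fix(size_t len) {
    return round_up_to_page(len + 1);
}

/* Post-fix: the struct header is counted before rounding. */
size_t alloc_size_after_fix(size_t len) {
    return round_up_to_page(sizeof(struct abort_msg_s) + len + 1);
}

/* True when an allocation of this size holds everything that is written. */
bool allocation_covers(size_t alloc, size_t len) {
    return alloc >= bytes_needed(len);
}

int main(void) {
    /* Constructed sample lengths; those ending just at a page boundary fail. */
    size_t lens[] = { 100, 4092, 4095, 4096, 8191 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t len = lens[i];
        printf("len=%zu needed=%zu before=%zu(%s) after=%zu(%s)\n", len,
               bytes_needed(len), alloc_size_before_fix(len),
               allocation_covers(alloc_size_before_fix(len), len) ? "ok" : "SHORT",
               alloc_size_after_fix(len),
               allocation_covers(alloc_size_after_fix(len), len) ? "ok" : "SHORT");
    }
    return 0;
}
```

With the assumed layout the old size comes up short whenever the message plus its NUL lands within sizeof(struct abort_msg_s) bytes below a page boundary, which includes the exact multiples of the page size the report mentions.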
Fixed on trunk.
The release/2.40/master branch has been updated by Siddhesh Poyarekar <siddhesh@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c

commit 7d4b6bcae91f29d7b4daf15bab06b66cf1d2217c
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Jan 21 16:11:06 2025 -0500

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)

    Include the space needed to store the length of the message itself, in
    addition to the message string.

    This resolves BZ #32582.

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
The release/2.39/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=808a84a8b81468b517a4d721fdc62069cb8c211f

commit 808a84a8b81468b517a4d721fdc62069cb8c211f
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Jan 21 16:11:06 2025 -0500

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)

    Include the space needed to store the length of the message itself, in
    addition to the message string.

    This resolves BZ #32582.

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
The release/2.38/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c32fd59314c343db88c3ea4a203870481d33c3d2

commit c32fd59314c343db88c3ea4a203870481d33c3d2
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Jan 21 16:11:06 2025 -0500

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)

    Include the space needed to store the length of the message itself, in
    addition to the message string.

    This resolves BZ #32582.

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
The release/2.37/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a3d7865b098a3a67c44f7812208d9ce4718873ba

commit a3d7865b098a3a67c44f7812208d9ce4718873ba
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date:   Tue Jan 21 16:11:06 2025 -0500

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)

    Include the space needed to store the length of the message itself, in
    addition to the message string.

    This resolves BZ #32582.

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)
The release/2.36/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7971add7ee4171fdd8dfd17e7c04c4ed77a18845

commit 7971add7ee4171fdd8dfd17e7c04c4ed77a18845
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jan 22 17:22:02 2025 +0100

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)

    Include the space needed to store the length of the message itself, in
    addition to the message string.

    This resolves BZ #32582.

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)

    Conflict in sysdeps/posix/libc_fatal.c due to missing cleanup after
    backtrace removal.
The release/2.35/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=8b5d4be762419c4f6176261c6fea40ac559b88dc

commit 8b5d4be762419c4f6176261c6fea40ac559b88dc
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jan 22 17:22:02 2025 +0100

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)

    Include the space needed to store the length of the message itself, in
    addition to the message string.

    This resolves BZ #32582.

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)

    Conflict in sysdeps/posix/libc_fatal.c due to missing cleanup after
    backtrace removal.
The release/2.34/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=df4e1f4a5096b385c9bcc94424cf2eaa227b3761

commit df4e1f4a5096b385c9bcc94424cf2eaa227b3761
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Jan 22 17:22:02 2025 +0100

    Fix underallocation of abort_msg_s struct (CVE-2025-0395)

    Include the space needed to store the length of the message itself, in
    addition to the message string.

    This resolves BZ #32582.

    Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
    Reviewed: Adhemerval Zanella <adhemerval.zanella@linaro.org>
    (cherry picked from commit 68ee0f704cb81e9ad0a78c644a83e1e9cd2ee578)

    Conflict in sysdeps/posix/libc_fatal.c due to missing cleanup after
    backtrace removal.